mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00

Merge pull request #2573 from holta/sudoers_anonymous

Let's consider variable "iiab_admin_can_sudo: True" & support "admin_console_group: iiab-admin" and explain them for all in roles/iiab-admin/README.rst
This commit is contained in:
A Holt 2020-10-16 17:50:20 -07:00 committed by GitHub
commit a30a8b8f36
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 254 additions and 194 deletions

View file

@ -27,7 +27,7 @@
state: present state: present
when: is_debuntu | bool when: is_debuntu | bool
- name: "Install 23 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget" - name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget"
package: package:
name: name:
- acpid - acpid
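Review bot: the task name on the right side still lists `sudo` among the packages (and still names 23 of them, acpid through wget) while the count was changed from 23 to 22; since `sudo` is commented out of the `name:` list in the next hunk, drop it from the name string as well so the name and the list agree.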
@ -52,7 +52,7 @@
- rsync - rsync
#- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
- sqlite3 - sqlite3
- sudo #- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
- tar - tar
- unzip - unzip
#- usbmount # Moved to roles/usb_lib/tasks/install.yml #- usbmount # Moved to roles/usb_lib/tasks/install.yml

View file

@ -13,31 +13,59 @@
iiab-admin README iiab-admin README
================= =================
This role is home to a number of administrative (Ansible) playbooks: `Internet-in-a-Box <http://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community.
Add Administrative User This Ansible playbook is one of the very first that runs when you install IIAB, and we hope reading this helps you understand your choices:
-----------------------
* Adds the Linux user that will allow you access to IIAB's Admin Console (http://box.lan/admin) if this has not already been done for you by IIAB's 1-line installer (http://download.iiab.io). Configure user 'iiab-admin'
* By default this is ``iiab-admin`` with password ``g0adm1n`` ---------------------------
* `admin-user.yml <tasks/admin-user.yml>`_ configures a Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}.
* If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here.
* By default this user is ``iiab-admin`` with password ``g0adm1n``
* *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin** * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin**
* After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password.
* If you prefer using a pre-existing user like ``pi`` or ``ubuntu`` etc, consider customizing variables ``iiab_admin_user_install``, ``iiab_admin_user`` and ``iiab_admin_user_group`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (please do this prior to installing IIAB !) * If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!)
* Please read more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!)
* You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually.
Desiderata, for the historical record: Security
--------
* Auto-checking for the default password is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists). * A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin)
* |ss| N.B. to create password hash use python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' |se| |nbsp| (not recommended as of October 2020) #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
* |ss| Make a sudoer |se| |nbsp| (likely going away in October 2020, as group 'iiab-admin' should be recommended instead of group 'sudo') #. ``sudo``
* |ss| Add /root/.ssh and dummy authorized_keys file as placeholder |se| |nbsp| (moved to `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_) * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
* |ss| Force password for sudoers |se| |nbsp| (sudo flag ``NOPASSWORD:`` and the ``wheel`` group will no longer being used as of October 2020) * If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security
* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).
Add Packages for Remote Access Example
------------------------------ =======
* screen * If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this:
* lynx #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
#. Make sure that ``iiab_admin_user_install: True`` is also set.
#. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin``
Historical Notes
================
* We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. [October 2020]
* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks. [October 2020]
Remote Support Tools
--------------------
The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
* `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_
* `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_
*More great tools to help you jumpstart community action at a distance:*
* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?"
Admin Console Admin Console
------------- -------------
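Review bot: typo on the right side of the OpenVPN bullet: "faciliate" should be "facilitate". Two smaller points in the same hunk: the Security bullet reads "in order to log in to IIAB's Admin Console: (http://box.lan/admin)", where the colon belongs after the URL rather than before it, and the Example section places three `#.` steps directly under a `*` bullet, so they would read more clearly as an indented sub-list of that bullet. The step order itself is right, because `iiab_admin_user_install: True` must hold for admin-user.yml to be included at all (see the `when:` in main.yml below).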

View file

@ -1,24 +1,16 @@
# Must keep roles/0-init/defaults/main.yml sync'd ? (Seems no longer true as of 2018-10-15) # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
# Admin Console (http://box.lan/admin) AND to help you at the command-line:
# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel # iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.
# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n). # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
# iiab_admin_user_install: True # iiab_admin_user_install: True
# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing # iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
# Linux user that has sudo access, for login to Admin Console http://box/admin # iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too.
# admin_console_group: iiab-admin # This group & sudo log in to Admin Console
# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content (ISN'T {{ apache_user }} MORE APPROPRIATE?)
# iiab_admin_user: iiab-admin
# For live checks/alerts of published pwds
# iiab_admin_published_pwd: g0adm1n
# Password hash to override above, if Ansible creates above user:
# iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
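Review bot: the removed left-side comment (`# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content ...`) records a cross-role dependency on `iiab_admin_user`, and nothing on the right side replaces it; if usb-lib still uses that variable for group ownership, keep a one-line pointer here (or in the README's Security section), otherwise note in the commit message that it was resolved, so the dependency does not silently get lost. Also, the right side presents `# admin_console_group: iiab-admin` as a customizable setting, while admin-user.yml marks it "SHOULD NEVER CHANGE"; say that here too.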

View file

@ -1,6 +1,6 @@
- name: "Install textmode remote access packages: screen, lynx" - name: "Install text mode packages, useful during remote access: screen, lynx"
package: package:
name: name:
- screen - lynx
- lynx - screen
state: present state: present

View file

@ -1,53 +1,56 @@
- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account # Summary of how this works with IIAB's Admin Console etc:
user: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
name: "{{ iiab_admin_user }}" # iiab-admin
password: "{{ iiab_admin_pwd_hash }}"
update_password: on_create
shell: /bin/bash
groups: sudo
#- name: Create a wheel group
# group:
# name: wheel
# state: present
#- name: Create a sudo group (redhat) # YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml
# group: - name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist? # iiab-admin BY DEFAULT
# name: sudo command: "id {{ iiab_admin_user | quote }}" # quote to avoid ';' exploits
# state: present register: user_info
# when: is_redhat | bool failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')
#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo' # admin_console_group: iiab-admin # PER default_vars.yml, SHOULD NEVER CHANGE
# user: - name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console
# name: "{{ iiab_admin_user }}" group:
# groups: wheel,sudo name: "{{ admin_console_group }}"
- name: Edit the sudoers file -- first make it editable
file:
path: /etc/sudoers
mode: 0640
- name: Have sudo log all commands it handles
lineinfile:
regexp: logfile
line: "Defaults logfile = /var/log/sudo.log"
dest: /etc/sudoers
state: present state: present
- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
user:
name: "{{ iiab_admin_user }}"
#group: "{{ iiab_admin_user }}" # Not nec. Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
groups: "{{ admin_console_group }}" # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future. FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd.
append: yes
shell: /bin/bash
#password: "{{ iiab_admin_pwd_hash }}" # 2020-10-14: DEPRECATED in favor
#update_password: on_create # of 'command: chpasswd' below.
- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n
#shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
command: chpasswd # Equiv to line above, but safer
args:
stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}"
when: user_info.rc != 0
# sudo-prereqs.yml needs to have been run!
- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
#command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
user:
name: "{{ iiab_admin_user }}"
groups: sudo
append: yes
when: iiab_admin_can_sudo
- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
when: not iiab_admin_can_sudo
failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')
#- name: Lets {{ iiab_admin_user }} sudo without password #- name: Lets {{ iiab_admin_user }} sudo without password
##- name: Lets wheel sudo without password ##- name: Lets wheel sudo without password
# lineinfile: # lineinfile:
# path: /etc/sudoers
# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL" # line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
## line: "%wheel ALL= NOPASSWD: ALL" ## line: "%wheel ALL= NOPASSWD: ALL"
# dest: /etc/sudoers
- name: Remove the line which requires tty
lineinfile:
regexp: requiretty
dest: /etc/sudoers
state: absent
- name: End editing the sudoers file -- protect it again
file:
path: /etc/sudoers
mode: 0440
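Review bot: the `| quote` filters on the chpasswd `stdin:` line are wrong for this use: `quote` is shell quoting, but `stdin` is handed straight to chpasswd without a shell, so a username or password containing shell-special characters (spaces, `$`, `!`, ...) would be wrapped in literal single quotes and the account would be given the quoted string as its password. Drop the filters on that line (they are correct on the `id` and `gpasswd` `command:` lines) and add `no_log: True` to the task so the password never appears in verbose output or in the recorded module invocation. Two smaller points: the `id` check should carry `changed_when: False` (it is read-only but will report "changed" on every run), and `when: iiab_admin_can_sudo` / `when: not iiab_admin_can_sudo` lack the `| bool` used elsewhere in this role (e.g. `when: is_debuntu | bool`), so a quoted value like `'False'` in local_vars.yml would be truthy and the user would still be added to the sudo group.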

View file

@ -1,39 +1,32 @@
- include_tasks: admin-user.yml # Summary of how this works with IIAB's Admin Console etc:
when: iiab_admin_user_install | bool # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
- include_tasks: access.yml
- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default - name: Install lynx, screen
template: include_tasks: access.yml
src: sshpwd-profile-iiab.sh
dest: /etc/profile.d/
mode: '0644'
- name: Is this LXDE-pi? - name: Install sudo & /etc/sudoers with logging to /var/log/sudo.log
stat: include_tasks: sudo-prereqs.yml
path: /etc/xdg/lxsession/LXDE-pi
register: lx
- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" - name: Configure user iiab-admin / password and its group(s), if iiab_admin_user_install
template: include_tasks: admin-user.yml
src: sshpwd-lxde-iiab.sh when: iiab_admin_user_install
dest: /etc/xdg/lxsession/LXDE-pi/
mode: '0755'
when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does # Idea: institute precautionary system-wide published password warning(s)
# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop # for user iiab-admin / g0adm1n, i.e. {{ iiab_admin_user }} with password
# (or pprompt.desktop as Raspbian has working since 2018-11-13!) Too bad as it # {{ iiab_admin_published_pwd }}, regardless whether the password is set:
# would be really nice to standardize this popup across Ubermix & all distros.. #
# Is this a permissions/security issue presumably? Official autostart spec is: # (1) by the OS installer
# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html # (2) by the OS's graphical desktop tools
# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537 # (3) at the command-line: sudo passwd iiab-admin
# (4) by IIAB's 1-line installer: http://download.iiab.io
# (5) by this role: roles/iiab-admin/tasks/admin-user.yml
# (6) by IIAB's Admin Console during installation
# ...and/or...
# (7) by IIAB's Admin Console > Utilities > Change Password
- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian) - name: Install password warning(s)
lineinfile: include_tasks: pwd-warnings.yml
path: /etc/xdg/lxsession/LXDE-pi/autostart
line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
# RECORD iiab-admin AS INSTALLED # RECORD iiab-admin AS INSTALLED
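Review bot: `when: iiab_admin_user_install` on the right side drops the `| bool` that the left side had (`when: iiab_admin_user_install | bool`); with a quoted value in local_vars.yml the string `'False'` is truthy and admin-user.yml would still run, so keep the filter. The seven-item comment inventory of ways the password can be set is useful, but it would serve readers better in the README's Security section, with a one-line pointer here.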
@ -62,3 +55,7 @@
value: '"Admin User"' value: '"Admin User"'
- option: iiab_admin_user - option: iiab_admin_user
value: "{{ iiab_admin_user }}" value: "{{ iiab_admin_user }}"
- option: iiab_admin_user_install
value: "{{ iiab_admin_user_install }}"
- option: iiab_admin_can_sudo
value: "{{ iiab_admin_can_sudo }}"
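Review bot: recording `iiab_admin_user_install` and `iiab_admin_can_sudo` in the install facts is welcome; consider recording `admin_console_group` alongside them, since the README's Security section names it as one of the two groups that grant Admin Console login and diagnostics would otherwise not capture which group was in effect.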

View file

@ -0,0 +1,31 @@
- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
template:
src: sshpwd-profile-iiab.sh
dest: /etc/profile.d/
mode: '0644'
- name: Is this LXDE-pi?
stat:
path: /etc/xdg/lxsession/LXDE-pi
register: lx
- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
template:
src: sshpwd-lxde-iiab.sh
dest: /etc/xdg/lxsession/LXDE-pi/
mode: '0755'
when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
# (or pprompt.desktop as Raspbian has working since 2018-11-13!) Too bad as it
# would be really nice to standardize this popup across Ubermix & all distros..
# Is this a permissions/security issue presumably? Official autostart spec is:
# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
lineinfile:
path: /etc/xdg/lxsession/LXDE-pi/autostart
line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
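Review bot: the last task (`lineinfile` on `/etc/xdg/lxsession/LXDE-pi/autostart`) guards only on the LXDE-pi directory existing (`lx.stat.isdir`), not on the autostart file itself; `lineinfile` defaults to `create: no` and fails when the destination file is missing, so either add `create: yes` or stat the file rather than the directory. Both `when:` lines also mix `lx.stat.isdir` with bare `is_raspbian and is_debuntu`, while the rest of the role applies `| bool` to such flags.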

View file

@ -0,0 +1,27 @@
# roles/2-common/tasks/packages.yml also installed sudo, but that's too late
- name: 'Install package: sudo'
package:
name: sudo
- name: Temporarily make file /etc/sudoers editable (0640)
file:
path: /etc/sudoers
mode: 0640
- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'
lineinfile:
path: /etc/sudoers
regexp: logfile
line: "Defaults logfile = /var/log/sudo.log"
# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
#- name: Remove all lines that contain 'requiretty'
# lineinfile:
# path: /etc/sudoers
# regexp: requiretty
# state: absent
- name: End editing file /etc/sudoers -- protect it again (0440)
file:
path: /etc/sudoers
mode: 0440
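Review bot: the `lineinfile` edit of /etc/sudoers should carry `validate: '/usr/sbin/visudo -cf %s'`, because a malformed line written here disables sudo for every account (including the iiab-admin user this role has just set up) and can only be repaired from a root shell. Related: `regexp: logfile` matches any line containing that word, a comment included, and would replace it with the `Defaults logfile = /var/log/sudo.log` line, so anchor it, e.g. `regexp: '^Defaults\s+logfile'`. With `validate` in place the temporary 0640/0440 mode change is not needed for a root-run `lineinfile`, though keeping the final task that asserts `0440` does no harm.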

View file

@ -3,6 +3,9 @@
# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from... # SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25
# For Localization/Translation: (use /usr/bin/gettext below if later nec!) # For Localization/Translation: (use /usr/bin/gettext below if later nec!)
#export TEXTDOMAIN=pprompt-iiab #export TEXTDOMAIN=pprompt-iiab
#. gettext.sh #. gettext.sh
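Review bot: the new comment points at `pwd-warnings.yml#L19-L25`, a hard-coded line range on the master branch that will drift as soon as that file is edited; link to the file (or refer to the "2019-03-07" comment by its date) instead. The same applies to the matching `main.yml#L24-L30` link being removed from sshpwd-profile-iiab.sh in the next hunk, which had already gone stale for exactly this reason.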

View file

@ -44,8 +44,6 @@ check_user_pwd() {
# HISTORICAL: if password-free sudo access is truly nec, it can be set with # HISTORICAL: if password-free sudo access is truly nec, it can be set with
# "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older:
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30
if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n
echo echo

View file

@ -16,10 +16,11 @@
- php-fpm - php-fpm
- libnginx-mod-http-subs-filter - libnginx-mod-http-subs-filter
- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console # 2020-10-16: Removed per #2560
user: #- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml # user:
groups: shadow # name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml
# groups: shadow
- name: Remove NGINX default config /etc/nginx/sites-enabled/default - name: Remove NGINX default config /etc/nginx/sites-enabled/default
file: file:
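Review bot: commenting out the task that adds `{{ apache_user }}` to the `shadow` group stops new installs from granting the web server read access to password hashes, but it does not remove the membership on systems that already ran the old task (a commented-out task does nothing, and nothing else here removes the group). Add a task such as `gpasswd -d {{ apache_user }} shadow` with `failed_when: False`, as admin-user.yml now does for the sudo group, so upgraded boxes get the same hardening; and since #2560 is cited, the dead commented block can be deleted outright rather than kept as a fossil.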

View file

@ -6,9 +6,9 @@
# asterisk_chan_dongle: False # asterisk_chan_dongle: False
# pbx_signaling_ports_chan_sip: "5160:5161" # pbx_signaling_ports_chan_sip: 5160:5161
# pbx_signaling_ports_chan_pjsip: "5060" # pbx_signaling_ports_chan_pjsip: 5060
# pbx_data_ports: "10000:20000" # pbx_data_ports: 10000:20000
# pbx_http_port: 83 # pbx_http_port: 83
# #
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
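Review bot: dropping the quotes around `5160:5161` and `10000:20000` relies on YAML 1.1, as PyYAML reads it, not treating `a:b` as a number; it does parse sexagesimal integers when every segment after the first colon is 0-59 (so `1:30` would load as 90), and `5060` now loads as an int rather than a string. These particular values are safe, but the quoted form was the robust convention for port ranges, so I would keep the quotes in both these comment templates and in default_vars.yml.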

View file

@ -11,7 +11,7 @@
# Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme
# transmission_http_port: 9091 # transmission_http_port: 9091
# transmission_url : "/transmission/" # transmission_url: /transmission/
# transmission_peer_port: 51413 # transmission_peer_port: 51413
# Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/

View file

@ -33,7 +33,7 @@ yum_packages_dir: "{{ iiab_base }}/yum-packages"
downloads_dir: "{{ iiab_base }}/downloads" downloads_dir: "{{ iiab_base }}/downloads"
iiab_download_url: http://download.iiab.io/packages iiab_download_url: http://download.iiab.io/packages
content_base: "/library" content_base: /library
doc_base: "{{ content_base }}/www" doc_base: "{{ content_base }}/www"
doc_root: "{{ doc_base }}/html" doc_root: "{{ doc_base }}/html"
@ -50,20 +50,21 @@ language_priority: en es fr
# Real-time clock: set RTC chip family here. Future auto-detection plausible? # Real-time clock: set RTC chip family here. Future auto-detection plausible?
# rtc_id: ds3231 # rtc_id: ds3231
# Please read more about the 'iiab-admin' Linux user and group, which allow # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
# you to log in to IIAB's Admin Console (http://box.lan/admin): # Admin Console (http://box.lan/admin) AND to help you at the command-line:
# https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
#
iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.
# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
iiab_admin_user_install: True iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED.
# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
# user that's a member of group sudo (or group below?) for Admin Console login: iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too.
iiab_admin_user: iiab-admin admin_console_group: iiab-admin # This group & sudo log in to Admin Console.
iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon?
iiab_admin_published_pwd: g0adm1n # For live checks/alerts of published pwds # DEPRECATED - Password hash to override above, if Ansible creates above user:
# Password hash to override above, if Ansible creates above user: # iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY: # Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' # python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY: # Obtain a password hash - OLD WAY:
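Review bot: with `iiab_admin_pwd_hash` now DEPRECATED and commented out, the "Obtain a password hash" comment lines that follow (the python3 `crypt.mksalt` recipe and the python2 `"$6$<salt>"` one) no longer document a supported path and contradict the README's Historical Notes, so remove them here as well. Also, the right side appends `# If False, THE SETTING BELOW WILL BE IGNORED.` to `iiab_admin_user_install`, but two settings follow it (`iiab_admin_can_sudo` and `iiab_admin_published_pwd`); name the one that is ignored (only the sudo handling in admin-user.yml is skipped, while pwd-warnings.yml still installs the published-password checks unconditionally per main.yml).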
@ -111,7 +112,7 @@ iiab_home_url: /home
# #
# Raspberry Pi OS requires WiFi country -- SET THIS IN /etc/iiab/local_vars.yml # Raspberry Pi OS requires WiFi country -- SET THIS IN /etc/iiab/local_vars.yml
host_country_code: US host_country_code: US
host_ssid: "Internet in a Box" host_ssid: Internet in a Box
host_wifi_mode: g host_wifi_mode: g
host_channel: 6 host_channel: 6
hostapd_secure: False hostapd_secure: False
@ -306,8 +307,8 @@ cups_port: 631
# Samba. Do a security audit seriously before deploying this. # Samba. Do a security audit seriously before deploying this.
samba_install: False samba_install: False
samba_enabled: False samba_enabled: False
samba_udp_ports: "137:138" samba_udp_ports: 137:138
samba_tcp_mports: "139,445" samba_tcp_mports: 139,445
shared_dir : "{{ content_base }}/public" # /library/public shared_dir : "{{ content_base }}/public" # /library/public
# USB_LIB # USB_LIB
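Review bot: same YAML typing concern as the pbx port comments: `samba_udp_ports: 137:138` stays a string only because 138 is not a valid sexagesimal digit group, and `samba_tcp_mports: 139,445` a string only because commas are not in the int grammar; keeping the quotes on port values is the safer convention in a file whose values feed firewall rules.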
@ -423,9 +424,9 @@ nextcloud_enabled: False
pbx_install: False pbx_install: False
pbx_enabled: False pbx_enabled: False
asterisk_chan_dongle: False asterisk_chan_dongle: False
pbx_signaling_ports_chan_sip: "5160:5161" pbx_signaling_ports_chan_sip: 5160:5161
pbx_signaling_ports_chan_pjsip: "5060" pbx_signaling_ports_chan_pjsip: 5060
pbx_data_ports: "10000:20000" pbx_data_ports: 10000:20000
pbx_http_port: 83 pbx_http_port: 83
# If using WordPress intensively, set nginx_high_php_limits further above. # If using WordPress intensively, set nginx_high_php_limits further above.
@ -510,7 +511,7 @@ transmission_group: root
# Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme
transmission_http_port: 9091 transmission_http_port: 9091
transmission_url : "/transmission/" transmission_url : /transmission/
transmission_peer_port: 51413 transmission_peer_port: 51413
# Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/
@ -658,8 +659,8 @@ calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web
# xovis_db_name: xovis # xovis_db_name: xovis
# xovis_db_user: admin # xovis_db_user: admin
# xovis_db_password: admin # xovis_db_password: admin
# xovis_root: "/opt/xovis" # xovis_root: /opt/xovis
# xovis_backup_dir: "/library/users" # xovis_backup_dir: /library/users
# xovis_chart_heading: "My School: Usage Data Visualization" # xovis_chart_heading: "My School: Usage Data Visualization"
# Unmaintained # Unmaintained

View file

@ -22,23 +22,16 @@ language_priority: en es fr
# Real-time clock: set RTC chip family here. Future auto-detection plausible? # Real-time clock: set RTC chip family here. Future auto-detection plausible?
# rtc_id: ds3231 # rtc_id: ds3231
# Please read more about the 'iiab-admin' Linux user and group, which allow # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
# you to log in to IIAB's Admin Console (http://box.lan/admin): # Admin Console (http://box.lan/admin) AND to help you at the command-line:
# https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
#
iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.
# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
iiab_admin_user_install: True iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED.
# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
# user that's a member of group sudo (or group below?) for Admin Console login:
iiab_admin_user: iiab-admin
iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon?
# Password hash to be used if Ansible creates the above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# Set these to False if you do not want to install/enable IIAB Admin Console # Set these to False if you do not want to install/enable IIAB Admin Console
admin_console_install: True admin_console_install: True
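Review bot: the new `iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.` line does not say what True actually grants: a sudoers rule limited to the /usr/bin/iiab-* commands, or unrestricted sudo for iiab_admin_user. Because this is a defaults file that most installs never edit, the comment should state the scope explicitly and say what "Optional" means once the Admin Console is installed, e.g. `iiab_admin_can_sudo: True # Gives iiab_admin_user sudo rights; needed by the /usr/bin/iiab-* support commands`, so an operator can judge whether the default is acceptable for their deployment.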
@ -67,7 +60,7 @@ iiab_home_url: /home
# #
# Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here:
host_country_code: US host_country_code: US
host_ssid: "Internet in a Box" host_ssid: Internet in a Box
host_wifi_mode: g host_wifi_mode: g
host_channel: 6 host_channel: 6
hostapd_secure: False hostapd_secure: False
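Review bot: dropping the quotes on `host_ssid: Internet in a Box` is safe for this exact value, but a plain YAML scalar is cut off at ` #` and fails to parse at `: `, so an operator who later sets an SSID such as a school name containing either sequence gets a silently different SSID or a load error. Keeping the quotes, or adding a comment that free-text values should be quoted, is cheaper than debugging hostapd with the wrong SSID.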
@ -155,7 +148,7 @@ sshd_enabled: True
openvpn_install: True openvpn_install: True
openvpn_enabled: False openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here: # Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: "BIG-sized - Put Your Name Here" openvpn_handle: BIG-sized - Put Your Name Here
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/ # Please see recommendations at: https://itsfoss.com/swap-size/
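Review bot: `openvpn_handle: BIG-sized - Put Your Name Here` is a placeholder the operator is expected to replace, and unquoted it is no longer guaranteed to be a string: YAML as loaded by Ansible turns a handle like `1234` into an integer and `yes`/`on`/`no` into a boolean, which is then what gets rendered into /etc/iiab/openvpn_handle. Since this value identifies the box, suggest keeping the quotes here, where the comment above already tells people to edit it, or applying `| string` at the point where it is written out.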

View file

@ -22,23 +22,16 @@ language_priority: en es fr
# Real-time clock: set RTC chip family here. Future auto-detection plausible? # Real-time clock: set RTC chip family here. Future auto-detection plausible?
# rtc_id: ds3231 # rtc_id: ds3231
# Please read more about the 'iiab-admin' Linux user and group, which allow # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
# you to log in to IIAB's Admin Console (http://box.lan/admin): # Admin Console (http://box.lan/admin) AND to help you at the command-line:
# https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
#
iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.
# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
iiab_admin_user_install: True iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED.
# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
# user that's a member of group sudo (or group below?) for Admin Console login:
iiab_admin_user: iiab-admin
iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon?
# Password hash to be used if Ansible creates the above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# Set these to False if you do not want to install/enable IIAB Admin Console # Set these to False if you do not want to install/enable IIAB Admin Console
admin_console_install: True admin_console_install: True
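Review bot: this hunk removes `iiab_admin_pwd_hash` and both hash-generation recipes from this file, but nothing in the hunk says where the admin password hash is now set, while the new `iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.` line actively invites reusing a distro account. Suggest a one-line pointer comment next to iiab_admin_user stating where the hash now lives and that a reused account keeps whatever password it already has, so that moving a committed default hash out of this file does not leave operators running with an unchanged distro password.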
@ -67,7 +60,7 @@ iiab_home_url: /home
# #
# Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here:
host_country_code: US host_country_code: US
host_ssid: "Internet in a Box" host_ssid: Internet in a Box
host_wifi_mode: g host_wifi_mode: g
host_channel: 6 host_channel: 6
hostapd_secure: False hostapd_secure: False
@ -155,7 +148,7 @@ sshd_enabled: True
openvpn_install: True openvpn_install: True
openvpn_enabled: False openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here: # Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: "MEDIUM-sized - Put Your Name Here" openvpn_handle: MEDIUM-sized - Put Your Name Here
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/ # Please see recommendations at: https://itsfoss.com/swap-size/

View file

@ -22,23 +22,16 @@ language_priority: en es fr
# Real-time clock: set RTC chip family here. Future auto-detection plausible? # Real-time clock: set RTC chip family here. Future auto-detection plausible?
# rtc_id: ds3231 # rtc_id: ds3231
# Please read more about the 'iiab-admin' Linux user and group, which allow # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
# you to log in to IIAB's Admin Console (http://box.lan/admin): # Admin Console (http://box.lan/admin) AND to help you at the command-line:
# https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
#
iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.
# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
iiab_admin_user_install: True iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED.
# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
# user that's a member of group sudo (or group below?) for Admin Console login:
iiab_admin_user: iiab-admin
iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon?
# Password hash to be used if Ansible creates the above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# Set these to False if you do not want to install/enable IIAB Admin Console # Set these to False if you do not want to install/enable IIAB Admin Console
admin_console_install: True admin_console_install: True
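Review bot: the old comment told operators who set `iiab_admin_user_install: False` that the existing user had to be a member of group sudo for Admin Console login; the replacement `# If False, THE SETTING BELOW WILL BE IGNORED.` only says iiab_admin_can_sudo is skipped and states no requirement for the pre-existing account at all. Suggest restoring a sentence such as `# If False, iiab_admin_user must already exist, and must be able to sudo if the /usr/bin/iiab-* commands are to work`, so the auto-configured and reused-account paths are documented side by side; the deleted `iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon?` line likewise leaves no trace of where group-based login went, and a short comment would help.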
@ -67,7 +60,7 @@ iiab_home_url: /home
# #
# Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here:
host_country_code: US host_country_code: US
host_ssid: "Internet in a Box" host_ssid: Internet in a Box
host_wifi_mode: g host_wifi_mode: g
host_channel: 6 host_channel: 6
hostapd_secure: False hostapd_secure: False
@ -155,7 +148,7 @@ sshd_enabled: True
openvpn_install: True openvpn_install: True
openvpn_enabled: False openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here: # Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: "MIN-sized - Put Your Name Here" openvpn_handle: MIN-sized - Put Your Name Here
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/ # Please see recommendations at: https://itsfoss.com/swap-size/